`okta_policy_mfa_default` sending priority from terraform state causes API errors

[tmonck]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.9.8
on darwin_arm64
+ provider registry.terraform.io/okta/okta v4.11.0

Affected Resource(s)

• okta_policy_mfa_default

Terraform Configuration Files

resource "okta_policy_mfa_default" "default_policy" {
  is_oie = false

  okta_otp = {
    enroll = "OPTIONAL"
  }

  google_otp = {
    enroll = "OPTIONAL"
  }

  okta_email = {
    enroll = "REQUIRED"
  }
}

Debug Output

│ Error: failed to update default MFA policy: the API returned an error: Cannot modify the priority attribute because it is read-only. │ │ with okta_policy_mfa_default.default_policy, │ on mfa.tf line 25, in resource "okta_policy_mfa_default" "default_policy": │ 25: resource "okta_policy_mfa_default" "default_policy" { │

Panic Output

Expected Behavior

The default MFA policy should not error during updates.

Can this be done in the Admin UI?

No

Can this be done in the actual API call?

I don't know

Actual Behavior

The default MFA policy errors out due to priority being passed.

Steps to Reproduce

1. terraform apply
2. Add another mfa policy either via the UI
3. terraform apply
4. Remove the newly added policy via the UI
5. terraform apply
6. Update the terraform to have a modification on the default MFA policy. (Change something from required to optional or not allowed)
7. terraform apply

Step 7 should error out.

Any changes that cause the priority value in the terraform state to differ from what is actually returned via the API for policies seems to trigger the error condition.

Important Factoids

References

• 0000

[duytiennguyen-okta]

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-822267